In a technical analysis, Oasis Security said a high-severity vulnerability dubbed “ClawJacked” in the self-hosted AI platform OpenClaw allowed malicious websites to brute-force a local management password and take control of instances. OpenClaw released a fix in version 2026.2.26 on February 26. In lab testing, the attack reached hundreds of password guesses per second from browser JavaScript.
KEY FACTS
- Incident: ClawJacked vulnerability enabled local OpenClaw hijack
- Product: OpenClaw self-hosted AI platform
- Fix: OpenClaw 2026.2.26, released February 26
- Attack speed: hundreds of password guesses per second from browser JavaScript
- Impact: authenticated access can register a trusted device and execute commands
The OpenClaw gateway binds to localhost by default and exposes a WebSocket interface. Browser cross-origin policies do not block WebSocket connections to localhost (the same-origin policy restricts reading HTTP responses, not the WebSocket handshake), so JavaScript on any visited website can silently open a connection to the local gateway and attempt to authenticate.
The loopback address 127.0.0.1 was exempt from rate limiting by default, so brute-force attempts were neither throttled nor logged. The gateway also approved device pairings from localhost automatically, without asking the user to confirm.
At a sustained rate of hundreds of guesses per second, a common password list can be exhausted in under a second and larger dictionaries in minutes. Once an attacker obtains valid credentials, they can register as a trusted device with admin permissions and interact with the platform.
With authenticated access an attacker can dump credentials, list connected nodes, read application logs, exfiltrate files from paired devices, or instruct agents to run arbitrary shell commands, which can lead to full workstation compromise. In the patch, released within 24 hours, OpenClaw tightened its WebSocket checks and added protections against abuse of localhost loopback connections.
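The three weaknesses above (no Origin check on the handshake, loopback exempt from rate limiting, and auto-approved pairing from localhost) map to three server-side checks. The following is an added illustration, not OpenClaw's own code: the request shape `{ origin, remoteAddress, password }`, the limiter thresholds and the allowed UI origin are assumptions, and `exemptLoopback: true` reproduces the weak pre-fix behaviour for comparison with the hardened default.

```javascript
// Added example, not OpenClaw's code: a hardened WebSocket upgrade and login
// policy for a localhost-bound gateway. Request shape and origins are assumed.
const MAX_FAILURES = 5;     // failed logins allowed per address per window
const WINDOW_MS = 60_000;   // rate-limit window
const ALLOWED_ORIGINS = new Set(["http://localhost:18789"]); // hypothetical UI
const LOOPBACK = new Set(["127.0.0.1", "::1"]);
// Limiter keyed by remote address. exemptLoopback=true reproduces the weak
// pre-fix behaviour the article describes; the hardened setting is false.
function makeLimiter({ exemptLoopback = false } = {}, now = () => Date.now()) {
  const failures = new Map(); // remoteAddress -> timestamps of recent failures
  return {
    isBlocked(addr) {
      if (exemptLoopback && LOOPBACK.has(addr)) return false;
      const t = now();
      const recent = (failures.get(addr) || []).filter((ts) => t - ts < WINDOW_MS);
      failures.set(addr, recent);
      return recent.length >= MAX_FAILURES;
    },
    recordFailure(addr) {
      failures.set(addr, [...(failures.get(addr) || []), now()]);
    },
  };
}
// Browsers always send Origin on a WebSocket handshake; native clients
// normally send none. Reject any browser origin not explicitly allowed.
function checkUpgrade(req) {
  if (req.origin !== undefined && !ALLOWED_ORIGINS.has(req.origin)) {
    return { ok: false, reason: "origin-not-allowed" };
  }
  return { ok: true };
}
// Constant-time string comparison so guesses cannot be timed byte by byte.
function safeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}
// Authenticate a connection and decide how device pairing proceeds.
function authenticate(req, limiter, expectedPassword) {
  if (limiter.isBlocked(req.remoteAddress)) return { ok: false, reason: "rate-limited" };
  if (!safeEqual(req.password || "", expectedPassword)) {
    limiter.recordFailure(req.remoteAddress);
    return { ok: false, reason: "bad-password" };
  }
  // Never auto-approve pairing just because the peer is loopback.
  return { ok: true, pairing: "user-confirmation-required" };
}
```

With the weak setting, failed logins from 127.0.0.1 are never counted, which is what made the attack rate the article cites possible; with the hardened default the sixth wrong guess is refused even from loopback, and a browser origin outside the allowlist is rejected before any password is examined.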
WHY IT MATTERS
A malicious webpage can hijack an unpatched, locally running OpenClaw instance without user interaction. Updating to version 2026.2.26 or later removes the weakness that allowed automated brute force and silent device-pairing abuse.

